Wednesday, December 14, 2011

IP Packet Filtering: iptables Explained For Beginners

iptables is the user-space tool for configuring the IP packet filter built into the Linux kernel (the netfilter framework). Strictly speaking an IP filter works at the network layer of the TCP/IP stack, but iptables can also match on link-layer details (the interface a packet arrived on, its source MAC address) and on transport-layer details (TCP/UDP ports, TCP flags). In a broad sense, iptables consists of tables, each table consists of chains, and each chain is an ordered list of rules.
Default tables are:

Raw

Mangle

NAT

Filter

Default chains are (yes, they are written in upper case):

PREROUTING: used by raw, mangle and nat tables

INPUT: used by mangle and filter tables

FORWARD: used by mangle and filter tables

OUTPUT: used by raw, mangle, nat and filter tables

POSTROUTING: used by mangle and nat tables

I'll discuss the Filter table here. It is the one most commonly used; if you are interested in the others as well you can find a detailed tutorial at frozentux. The Filter table uses three chains: INPUT, FORWARD and OUTPUT.

The INPUT chain is for packets destined for your own machine. The reply to an HTTP request made by your browser goes through the INPUT chain.

The OUTPUT chain is for packets generated locally and going out of your machine. The HTTP request made by your browser goes through this chain.

The FORWARD chain is for packets your machine receives that are not addressed to it: your machine is only supposed to pass them on to another host. This happens when the machine is configured as a gateway or router, and only if IP forwarding is enabled in the kernel (net.ipv4.ip_forward=1); otherwise such packets are discarded before they reach any chain.

Now every iptables rule has a "target" (given with -j) which is executed when a packet matches the rule's "criteria". The following are the most common targets:

ACCEPT: The packet is let through by this table and continues on its way (for INPUT, up to the local application; for FORWARD, out towards the next hop).

DROP: The packet is silently discarded. Nothing is sent back, so from the sender's point of view the packet simply vanished (a TCP client will sit waiting until it times out).

REJECT: The packet is dropped and an error message is sent back to the sender: by default an ICMP port-unreachable, or a TCP RST if --reject-with tcp-reset is given. Only valid in the INPUT, FORWARD and OUTPUT chains.

LOG: The packet headers are written to the kernel log (visible with dmesg and collected by syslogd). LOG is a non-terminating target: the packet continues to the next rule, so a LOG rule is usually followed by a DROP or REJECT rule with the same match. Combine it with -m limit so that a flood of packets cannot fill the log.

DNAT: Rewrites the destination IP address (and optionally the port) of the packet; used in the nat table's PREROUTING and OUTPUT chains, e.g. for port forwarding.

SNAT: Rewrites the source IP address of the packet; used in the nat table's POSTROUTING chain (MASQUERADE is the variant for interfaces with a dynamic address).
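To make the LOG target concrete, here is an added example (not code from the original post) of the kind of line it writes and of turning a batch of such lines into a summary of dropped traffic by source and destination port, which is the usual first step when checking whether someone is probing the host. The log lines are constructed samples using documentation addresses, "IPT-INPUT-DROP: " stands in for whatever --log-prefix was configured, and the host name gw is made up.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what the LOG target wrote.
# sample_log emits CONSTRUCTED lines in the format the LOG target produces
# (as seen in /var/log/kern.log or dmesg). The prefix "IPT-INPUT-DROP: " is an
# assumed --log-prefix; the addresses are documentation ranges, not real traffic.
sample_log() {
    cat <<'EOF'
Dec 14 10:01:02 gw kernel: [ 1234.567890] IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 14 10:01:03 gw kernel: [ 1235.567890] IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 14 10:01:05 gw kernel: [ 1237.567890] IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 14 10:01:06 gw kernel: [ 1238.567890] IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4323 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 14 10:01:09 gw kernel: [ 1241.567890] IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9002 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 14 10:01:11 gw kernel: [ 1243.567890] IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=52 ID=4324 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48
Dec 14 10:02:00 gw sshd[1234]: Accepted publickey for admin from 192.0.2.2 port 55000 ssh2
EOF
}

# summarize_drops: read log lines on stdin, keep only those carrying our prefix,
# and print "count source proto/dport", most frequent first. Every KEY=VALUE
# token on a LOG line is split at "=", so the order of the fields does not matter.
summarize_drops() {
    awk '
    /IPT-INPUT-DROP:/ {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "") count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# noisy_sources <min>: sources with at least <min> dropped packets in total,
# regardless of port. A single address hitting many ports is the scan pattern.
noisy_sources() {
    awk -v min="$1" '
    /IPT-INPUT-DROP:/ {
        for (i = 1; i <= NF; i++) if (index($i, "SRC=") == 1) hits[substr($i, 5)]++
    }
    END { for (s in hits) if (hits[s] >= min) print hits[s], s }' | sort -rn
}

# Demo on the constructed sample; on a real host feed it the kernel log instead:
#   grep IPT-INPUT-DROP /var/log/kern.log | summarize_drops
sample_log | summarize_drops
```

The parser keys on the log prefix rather than on the word "kernel", so it works unchanged on journalctl output or on logs shipped to a central syslog server; only the prefix has to match what the LOG rule was given.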

The first four are used in the Filter table a lot. Now let us discuss some of the common matching criteria:

-p <protocol>: Matches the IP protocol: tcp, udp, icmp, or all (which is the default when -p is omitted)

-s <ip_addr>: Matches the source IP address; a network in CIDR notation such as 192.168.1.0/24 is also accepted

-d <ip_addr>: Matches the destination IP address (or network)

--sport <port>: Matches the source port. Only valid together with -p tcp or -p udp, since only those protocols have ports

--dport <port>: Matches the destination port, with the same restriction as --sport

-i <interface>: Matches the interface the packet arrived on (only valid in the INPUT, FORWARD and PREROUTING chains)

-o <interface>: Matches the interface the packet will leave through (only valid in the OUTPUT, FORWARD and POSTROUTING chains)

Now we know the basic things needed to start building rules. Let us write some rules for a few hypothetical (or real) situations. First we'll set the default policy of the filter table's chains using the -P flag. The policy is what happens to a packet that matches none of the rules in the chain:

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP

Be careful when doing this over SSH: as soon as the INPUT policy becomes DROP, every packet that no rule accepts is discarded, including the packets of your own session, so add the accepting rules first (or set the policy last).

Now we'll allow this machine to accept only incoming HTTP and SSH connections on eth0:

iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

The -j ACCEPT part is essential: a rule with no target only counts the packets that match it and changes nothing. Note that the -A flag appends the rule to the end of the chain. Rules are checked in order and the first terminating match wins, so use -I instead if a rule has to go at the top; without -A or -I, iptables reports an error rather than overwriting anything. Also note that with the OUTPUT policy set to DROP the replies to these connections cannot leave the machine yet; an OUTPUT rule (for example one matching -m state --state ESTABLISHED,RELATED) is needed for that. Finally, these rules live only in kernel memory: they are gone after a reboot unless saved with iptables-save and loaded again at boot with iptables-restore.
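The rules above, assembled into a complete ruleset that also lets the host make its own HTTP, SSH and DNS requests, as an added example; it is not code from the original post. It assumes the interface is called eth0 (override with IFACE=...) and uses the conntrack match (-m conntrack --ctstate; -m state --state is the older spelling of the same match) so that replies are allowed in both directions without opening the ports the other way round. By default the script only prints the commands, so it can be reviewed without root; run it as root with the argument apply to install them.

```shell
#!/bin/sh
# Added example (not code from the original post): a complete, stateful
# filter-table ruleset for a host that accepts incoming SSH and HTTP on eth0
# and is itself allowed to make outgoing SSH, HTTP and DNS requests.
# Assumptions: the interface is eth0 (override with IFACE=...) and the
# conntrack match module is available. build_ruleset only prints the
# commands; apply_ruleset feeds them to sh and needs root.

IFACE="${IFACE:-eth0}"

build_ruleset() {
    cat <<EOF
# start from empty chains (the policy is still the kernel default, ACCEPT)
iptables -t filter -F INPUT
iptables -t filter -F OUTPUT
iptables -t filter -F FORWARD
# loopback traffic is always fine
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# packets belonging to connections we already allowed (replies, in both directions)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection and are not a valid new one
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# new incoming SSH and HTTP connections on $IFACE
iptables -A INPUT -i $IFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# new outgoing requests from this host: SSH, HTTP and DNS
iptables -A OUTPUT -o $IFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $IFACE -p udp --dport 53 -j ACCEPT
# log what is about to be dropped (rate limited), then drop it explicitly
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
iptables -A INPUT -j DROP
# policies last: the ESTABLISHED rule is already in place, so the SSH session
# used to apply this is not cut off when the default becomes DROP
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
EOF
}

# apply_ruleset: run the generated commands, stopping at the first failure
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    build_ruleset | sh -e
}

# count_rules <chain> <target>: number of generated rules in <chain> ending in <target>,
# a cheap sanity check before applying (e.g. that INPUT really has its ACCEPT rules)
count_rules() {
    build_ruleset | grep -c -- "^iptables -A $1 .*-j $2\$"
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;
esac
```

Because the ruleset is flushed and rebuilt rule by rule, there is a short window during which the chains are empty and the policy is still ACCEPT. After the rules are in place, iptables-save > /etc/iptables.rules captures them, and iptables-restore loads that file at boot in one atomic step, which also makes the rules survive a reboot.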

DevOps - Insights and Tutorials

About me

I am Aditya Patawari, a DevOps consultant and trainer. I specialize in Docker and related technologies. I have production experience with Enterprise Linux, Ansible, Puppet, Nagios, Docker, Python, Cloud (AWS and Google Cloud). I am primary maintainer for fedora-dockerfiles package and have contributed to several projects in config management and container ecosystem. I have been a speaker at Flock, FUDCon, NELF, GNUnify, Rootconf, FOSSAsia, CentOS Dojo, Devopsdays, FOSDEM and have delivered talks on Puppet, Ansible, Project Atomic, Kubernetes, Git, infrastructure scalability and various other topics.